Criminal complaint against hacker: Chaos Computer Club railed against CDU



A hacker from the Chaos Computer Club reports to the CDU that one of the party's apps has a security flaw. The party apologizes and takes the app offline. But a criminal complaint is filed against the hacker. The CCC draws conclusions.

The hacker association Chaos Computer Club (CCC) will no longer report any security gaps to the CDU in the future. That emerges from a statement by the association. According to the statement, the background is a criminal complaint against a CCC activist who had pointed out weaknesses in an election campaign app of the CDU.

According to the CCC, software developer Lilith Wittmann analyzed the “CDUconnect” app in May. The party uses the app to coordinate its doorstep campaign by documenting visits and gathering information about them. Wittmann determined that personal data such as e-mail addresses and photos of 18,500 campaign workers were “unprotected and freely accessible via the Internet” via the app. The same applied to data from 1350 supporters of the CDU, whose addresses, dates of birth and interests were accessible.

According to the CCC announcement, Wittmann reported the app’s weaknesses to the CDU, but also to the Federal Office for Information Security (BSI) and the Berlin data protection officer. The insecure database was then switched off.

CDU admitted a security gap

The CDU confirmed the security gap at the time. The party announced in May, as quoted by “Spiegel”, that the data of 17,000 registered election campaigners and the address data of around 1,300 citizens who had asked questions could be viewed. “The CDU of Germany is very sorry for the incident and we apologize for the inconvenience caused,” it said.

The app was temporarily deactivated, but is now available again. “By examining our IT structure, Lilith Wittmann pointed out a security gap in our app that made it necessary to take the app off the server as a precaution,” it said at the time in a Twitter post about the app.

However, the whole thing now has legal consequences for Wittmann. As she made public on Twitter on Tuesday, a criminal complaint was filed against her. According to her, she was contacted by the Cyber State Criminal Police Office Berlin and is listed as a suspect in an investigation in connection with the app. What exactly she is accused of is unclear, as is who filed the criminal complaint. According to the site “netzpolitik.org”, the agency PXN, which is responsible for the app, said that it has not initiated any legal action. According to the CCC, however, the CDU already held out the prospect of legal action when Wittmann contacted them about the vulnerability. The party has not yet responded to an inquiry from ntv.de on the matter.

CCC calls CDU “ungrateful”

The Chaos Computer Club has sharply criticized the CDU’s approach. The process of reporting weaknesses to those responsible for them and only reporting on them publicly when the danger for those affected has been averted – called “responsible disclosure” – has become established in the IT security culture, writes the CCC in the press release. “Unfortunately, the CDU turns out to be extremely ungrateful for the voluntary tuition,” it continues.

Criticism also came from the Society for Freedom Rights. The case is a “bitter example of our dysfunctional IT criminal law”, tweeted its co-founder Ulf Buermeyer. “Actually, it should improve IT security! Those who put the personal data of thousands of people at risk should be punished – but not those who find security gaps and disclose them responsibly.”

In any case, the CCC draws conclusions: “In order to avoid future legal disputes, we are unfortunately forced to forego reporting weaknesses in CDU systems,” said CCC spokesman Linus Neumann. The CCC regrets that this increases the risk that data will be published before weaknesses are eliminated. “As a precautionary measure, we reject responsibility for future publications of this kind”, it continued – and: “CCC wishes CDU the best of luck with future weak points”.

According to its own account, the Chaos Computer Club is the largest European hacker association. The decentralized association with its almost 8,000 members sees itself as a non-governmental organization that is best known for uncovering digital security gaps. In addition, the CCC regularly expresses itself on digital policy issues.
